Integrated circuits with persistent data storage

ABSTRACT

The circuitry introduced in this invention selectively slows down the functioning of an electronic circuit maintaining a particular state for a prolonged period of time. This circuitry is used not only to achieve the desired effect in maintaining security from electronic thieves trying to circumvent codes but also in other applications such as enabling a circuit to continue to function in the event of a brief loss of power. For example, in an RFID system, if a reader is frequency hopping, a tag loses power for as long as about 400 milliseconds when the reader changes to other frequencies. In a preferred embodiment, the disclosed circuitry is used in conjunction with a destruct sequence.

RELATED APPLICATIONS

This application is a continuation of and claims priority from co-pending U.S. patent application Ser. No. 13/900,296, filed on May 22, 2013, which is a continuation of U.S. patent application Ser. No. 13/276,222, filed Oct. 18, 2011, which issued as U.S. Pat. No. 8,464,957 on Jun. 18, 2013, which is a continuation of and claims priority from Ser. No. 12/111,140, filed Apr. 28, 2008, which issued as U.S. Pat. No. 8,056,818 on Nov. 15, 2011, which is a continuation of and claims priority from U.S. patent application Ser. No. 11/264,573, filed Oct. 31, 2005, which issued as U.S. Pat. No. 7,377,445 on May 27, 2008, which is a continuation of and claims priority from U.S. patent application Ser. No. 11/153,030 filed on Jun. 14, 2005, which issued as U.S. Pat. No. 7,364,084 on Apr. 29, 2008, which is a divisional application of and claims priority from U.S. patent application Ser. No. 10/140,589 filed on May 7, 2002, which issued as U.S. Pat. No. 6,942,155 on Sep. 13, 2005, and which claims priority from U.S. Provisional Patent Application entitled “ICs with Persistent Data Storage,” filed on May 31, 2001 under Ser. No. 60/294,661 and which is herein incorporated by reference in its entirety.

FIELD OF THE INVENTION

The present invention relates to radio frequency identification (RFID), and more particularly, this invention relates to persistent data storage in an RFID tag.

BACKGROUND OF THE INVENTION

Radio frequency identification (RFID) is a technology that incorporates the use of electromagnetic or electrostatic coupling in the radio frequency (RF) portion of the electromagnetic spectrum to uniquely identify an object, animal, or person. RFID is coming into increasing use in industry as an alternative to the bar code. The advantage of RFID is that it does not require direct contact or line-of-sight scanning. RFID is sometimes also called dedicated short range communication (DSRC).

In an RFID system multiple wireless tags are interrogated by sending information from an interrogating transmitter to the tags and having information transmitted by the tag in response. This is commonly accomplished by having the tag listen for an interrogation and for it to respond with a unique serial number and/or other information. However, it is desirable to extend the range of wireless tags so that it is not necessary to bring each tag close to a reader for reading. Three problems are evident when extending the range of the reading system. One of the problems is that there is limited power available for transmission from the wireless tag. Two, if the range is significant, it is possible that many tags will be within range of the interrogating system and their replies may corrupt each other. And, three, tag power supply levels will vary during their dialog with readers and may even be frequently interrupted entirely for periods up to one second.

RFID tags can be used to identify items. And, as outlined, there are known methods that enable one specific tag in a group of many tags to be interrogated without corruption by other tags of information sent by that one particular tag to the reader and without accidental transmission of data or commands to other tags of information sent to that particular tag.

The least expensive tags usually have EEPROM or read only memory. This is adequate for identifying a tag and for executing a purchase. However, at times, the purchaser might require privacy after the purchase so that another party cannot perform a scan and learn the contents of that purchaser's purse, car or home.

Thus, there are times when it is desirable to permanently disable or destroy an RFID tag after purchase. Furthermore, when a tag is destroyed it is desirable that other tags within range of the disabling device, typically a reader, are not also destroyed.

Although there are times when it would be desirable to intentionally and selectively destroy a tag so that it is no longer possible to read the information encoded on that tag, at the same time, it is also important to not create an opportunity for theft.

It would also be desirable to keep the cost of a tag and peripheral equipment to a minimum, and to enable rapid interrogation of a tag. One means of achieving these goals is in using short code lengths, for example 8 bits. However, an eight bit code has only 256 possible permutations and its protective effect can be circumvented by use of various electronic devices. It would therefore also be desirable to inhibit the use of electronic means that rapidly transmit all permutations of a code in order to circumvent a device's security.

Likewise, it is also important that certain tag states like the SLEEP/WAKE or other command states persist even through short interruptions of the power supply.

DISCLOSURE OF THE INVENTION

One method of achieving the goals set forth above would be to introduce a delay between the time when an incorrect code is input and the device can be reset and ready to recognize and evaluate the next code that is transmitted to the device. However, in order to introduce such a method, one must selectively slow down an inherently fast electronic circuit. That is, it is desirable to retain the speed of that circuit in some circumstances instances and to slow it down in other circumstances.

The circuitry introduced in this invention selectively slows down the functioning of an electronic circuit by maintaining a particular state for a prolonged period of time. This circuitry is used not only to achieve the desired effect in maintaining security from electronic thieves trying to circumvent codes but also in other applications such as enabling a circuit to continue to function in the event of a brief loss of power. For example, in an RFID system, if a reader is frequency hopping, a tag loses power for as long as about 400 milliseconds when the reader changes to other frequencies.

In one embodiment, the disclosed circuitry is used in conjunction with a destruct sequence. The destruct sequence of commands comprises an identity match; followed by a correct response; followed by a purchase. The cash register reader then provides a unique 8-bit DESTRUCT code within 5 seconds; which then creates a minimum 5 second window in which the tag can be destroyed within a range of 10 cm. Receipt of further DESTRUCT commands is automatically disabled for 5 seconds or more after any unsuccessful destruct attempt.

BRIEF DESCRIPTION OF THE DRAWINGS

For a fuller understanding of the nature and advantages of the present invention, as well as the preferred mode of use, reference should be made to the following detailed description read in conjunction with the accompanying drawings.

FIG. 1 depicts an RFID system according to one embodiment.

FIG. 2 is a diagram of an embodiment of the invention in a PMOS circuit.

FIG. 3 illustrates the timing relationship of the voltage at V.sub.IN, Node A and Node B of FIG. 2.

FIG. 4 illustrates the structure of the invention according to one embodiment.

FIG. 5 is a diagram of an embodiment of the invention in an NMOS circuit.

DETAILED DESCRIPTION

The following description is the best embodiment presently contemplated for carrying out the present invention. This description is made for the purpose of illustrating the general principles of the present invention and is not meant to limit the inventive concepts claimed herein.

FIG. 1 depicts an RFID system 100 according to one embodiment. As shown, the system includes three components: an antenna 102 and transceiver 104 (here combined into one reader 106) and one or more transponders 108 (the tags). The transceiver is a combination transmitter/receiver in a single package. The antenna uses radio frequency waves to transmit a signal that activates a tag. When activated, the tag transmits data back to the antenna. The data is used to notify a programmable logic controller 110 that an action should occur. The action could be as simple as raising an access gate or as complicated as interfacing with a database to carry out a monetary transaction. High and low-frequency systems may be used in any of the embodiments described herein. Illustrative low-frequency RFID systems (30 KHz to 15 MHz) have short transmission ranges (generally less than six feet). Illustrative high-frequency RFID systems (850 MHz to 950 MHz and 2.4 GHz to 2.5 GHz) offer longer transmission ranges (more than 90 feet).

FIGS. 2 and 5 illustrate destruct circuits 200, 500 that utilize the timing structure of the invention. The disable circuit 200 illustrated in FIG. 2 comprises a timing delay that is unique and that is connected to trigger any of a number of known disabling means 202. FIG. 2 illustrates timing delay logic 204 and an example of a known disabling means 202 in the dotted box on the left. The disabling means 202 illustrated will blow a fuse and destruct when current passes from the AND gate 206 of the timing delay logic circuit and enters the disabling circuit 202. One skilled in the art will recognize that a disabling circuit with a fuse, an anti-fuse, EEPROM (or other non-volatile memory or element) or any other circuit suitable for temporarily or permanently disabling the chip can be substituted for the disabling means illustrated in FIG. 2. The exact disabling means selected may be chosen on the basis of the effect one wishes to achieve.

As for the timing logic 204 of the circuits illustrated, the logic presented is unique. The logic comprises at least one and preferably three or more inverters 210, a dielectric, shielded capacitor or other low-leakage charge storage device (see FIG. 4) 208, an NMOS Q.sub.1 (Note that a PMOS or other transistor can be used with minor modification to the logic design as would be recognized by one skilled in the art.), and an AND enable gate 206. Importantly, regardless of whether the power is high or low, all the leakage is through the junction to ground and occurs equally fast whether or not the power is on.

With an N device (NMOS) all leakage is to ground. The advantage of the N circuits shown in FIGS. 2 and 5 is that they guarantee that both source drain leakage and junction leakage is to ground. FIG. 2 is a preferred bootstrap circuit which avoids offset between node A and B. FIG. 5 is a simpler NMOS circuit without bootstrap.

Therefore, during the time out interval both the junction and all significant drain leakage paths (drain-to-source and drain-to-substrate) must go to ground, whether a PMOS or NMOS is used.

One skilled in the art can operate this circuit in the opposite polarity using P transistors or diodes by storing a negative voltage and allowing leakage to occur to the more positive level.

In the circuits illustrated in FIGS. 2 and 5 both illustrate two capacitors in parallel, the intended storage on the dielectric capacitor, and there is a parasitic junction capacitance between the drain node and ground. See FIG. 4.

One should note that depending on the exact design of the circuit and its intended use one would use an odd number of inverters (as in the NMOS circuit of FIG. 2) if one wishes the voltage at node A to be low during the timeout interval when the input voltage is high and an even number of inverters (as in the NMOS circuit in FIG. 5) if one wishes the voltage at node A to be high during the timeout interval when the input voltage is high.

It is further noted that the use of a series of inverters in FIGS. 2 and 5 is for example only. One skilled in the art will recognize that other logic can be substituted provided that the constraints noted for the PMOS and NMOS circuits are met.

The AND gate is enabled when the correct disable (or destruct) code is received at the AND data input from the code controller 212 (see FIGS. 2 and 5) and the proper voltage (high or low) is received at the AND control input. In the case of the logic illustrated the AND control voltage must be high. The capacitor is preferably a double polysilicon structure consisting of an intermediate conductor sandwiched between two polysilicon shields, yet insulated from them by an insulator such as silicon nitride or silicon dioxide. When the NMOS transistor is turned off, no signal arrives at the AND control input. The NMOS transistor is preferably a minimum sized transistor, which provides a very small semiconductor path, and only minimum depletion region volume, and is used to charge the capacitor, which has a very large capacitance and is dielectrically isolated, with negligible leakage. The time constant of the dielectric capacitance portion of this circuit exceeds 10 seconds and most preferably is hundreds of years in contrast to the junction capacitance portion of this circuit which is typically less than one second at room temperature.

The circuit functions as follows. When the voltage input is high the NMOS transistor is in a high impedance state and the voltage at the end of the series of three invertors is low, so that no voltage is available to the capacitor and the AND gate. When the voltage input is low, the NMOS switch will conduct and the voltage at the end of the series of three invertors is high and is available to charge the capacitor.

The capacitor is initially charged and must remain charged to initiate destruction of the tag. If the correct code is entered and Node B is high, the AND gate transmits a high voltage to the disable circuit and the fuse is blown and the tag is destroyed. Thus, the first time one tries to activate the system it operates quickly if the correct code is entered.

If the code entered is not correct, the timing logic circuit will time out and create a time delay (preferably at least 5 seconds) that one must wait before entering another code. This state is “tenacious” so that a large 1-5 second delay is incurred over the IC chip even if the chip is powered down several times during this interval. These “tenacious” latch states do not reset quickly, even after the tag power is interrupted and subsequently restarted. In particular, as there is virtually no possibility of leakage through the AND gate, the capacitor leaks slowly through the NMOS transistor drain region shown in FIG. 2, as connected to Node B. The capacitance of the dielectric capacitor is much greater than the capacitance across the NMOS junction capacitance such that the time constant at node B is increased to greater than one second, even at room temperature.

Electronic devices normally have very fast time constants, but this structure guarantees a long time constant one-shot whether the chip is powered or not. Preferably, the one-shot circuit has a timing interval of greater than one second at room temperature independent of power fluctuations. Room temperature is preferably an operating range of the tag, such as within ten degrees of .about.20 degrees Celsius (i.e., .about.10 degrees Celsius to .about.30 degrees Celsius).

Since it is desirable to use a shorter code (for example 8-bits) as the disable code, it is important to provide a time delay that would prevent someone from rapidly entering the various (256 for an eight bit code) permutations of the code.

This circuit structure for building “tenacious latches” is also applicable for stabilizing other storage nodes, such as, for example, a “sleep/wake latch” and a 3-bit “channel-code latch.” The device also has application in an E.sup.2 PROM.

The circuits according to preferred embodiments function as follows. The first time a command to destruct is sent to the chip, the chip receives a signal to enable the destruct circuit and a destruct code. The destruct code (for example an 8-bit destruct code) enters the circuit through a gate 206 and passes through to the code comparator 212. Next, the voltage at node B (see FIGS. 2 and 5) is driven high. If the code comparator subsequently determines that the code is correct, a signal is transmitted through the AND gate and disabling means (the logic inside the dotted lines on the left of FIGS. 2 and 5) is activated, the fuse blows and the chip destructs.

On the other hand, if the code comparator determines the code to be incorrect, no signal passes through the AND gate and the disabling means is not activated.

In the event that the enabling means is not activated the capacitor remains charged and then leaks slowly. At the same time voltage is transmitted (see FIGS. 2 and 5) from node B as a control signal to the gate 206 (or other extremely low leakage logic) to disable the gate and prevent transmission of any code through the gate until the voltage at node B goes low.

Thus, if the initial destruct code entered is correct, the high voltage at node B enables the activation of the disable circuit, but if the initial destruct code entered is incorrect the high voltage state at B disables the further transmission of any code to the code comparator until the voltage at node B returns to a logic zero level of typically less than 0.5 volts.

Typically, in integrated circuits the state at node B would change rapidly in line with the change in state of the input voltage (V_(IN)) into the circuit. The structure of the timing delay, however, maintains the voltage at node B in a high state for a significant period of time, for example 1-5 seconds, even if the state of the input voltage changes or the power supply is interrupted. Thus node B is a “tenacious” or semi-volatile node. The state of node B is maintained high because leakage from the capacitor can only travel toward the junction, transistor Q₁ in FIGS. 2 and 5. Leakage through the gate 206 and dielectric capacitor 208 are negligible.

The timing relationship between node A and node B is illustrated in FIG. 3. The input must rise first and therefore cut off the transistor Q₁ after node A begins to drop towards ground. During the time out interval, node B junction leakage is coupled only to ground and not to any other voltage independent of whether the chip is powered or not. The time out interval corresponds to the time when the capacitor is charged and leaking.

FIG. 4 shows the structure of the invention 400 according to a preferred embodiment. Node B is physically connected to the inner layer of dielectric capacitor C_(d) (or other high ultra-low leakage capacitance device), and again, is grounded during the time out interval. C_(d) is a dielectric capacitor that, typically, has upper and lower polysilicon layers. In C_(d), most of the capacitance is due to a non-conductive oxide that maximizes capacitance and has an extremely long time constant. On the other hand the capacitance C_(j) of the junction is minimized since it has a time constant of only a few milliseconds. A unique feature of the timing structure is that the combination of a dielectric capacitor and junction capacitor, in a structure that mainly takes advantage of the high dielectric capacitance and that minimizes the junction capacitance, gives the structure a time constant measured in seconds. A requirement of the structure is that the dielectric capacitance is at least ten times greater than the junction capacitance.

Importantly, one should note that the structure disclosed in this invention can be put into a miniature integrated circuit. The structure is an integrated tenacious node that comprises its own capacitor. The capacitor is typically a high quality SiO₂ or SiO₃N₄ capacitor that can be integrated onto a microchip or even smaller integrated circuit. Ferroelectric material also can be used to make the capacitor.

One skilled in the art will recognize that any device that might suffer from a loss of power will benefit from a tenacious storage state or latch.

In a preferred embodiment, the disclosed circuitry is used in conjunction with a destruct sequence. The destruct sequence of commands comprises an identity match; followed by a correct response; followed by a purchase. The cash register reader then provides a unique 8-bit DESTRUCT code within 5 seconds; which then creates a minimum 5 second window in which the tag can be destroyed within a range of 10 cm. Receipt of further DESTRUCT commands is automatically disabled for 5 seconds or more after any unsuccessful destruct attempt.

Thus, there are times when it is desirable to permanently disable or destroy an RFID tag after purchase. Furthermore, when a tag is destroyed it is desirable that other tags within range of the disabling device, typically a reader, are not also destroyed.

In one scenario, a destruct sequence is performed on a selected tag. The selected tag may be sufficiently close to the reader or previously known to be unique so that no specific procedure need be undertaken to select the tag.

Alternatively, the tag may be one of many tags within range of the reader. In this case an anti-collision procedure might need to be performed to select the tag, that is, to prevent information from and to the tag from being corrupted by other tags. There are a number of known methods of performing anti-collision to select one specific RF tag from many RF tags responding to a given reader signal.

Once the tag is selected the destruct sequence begins. The destruct sequence leads to the permanent destruction of the tag provided that the circuitry of the tag is designed to destroy the tag when the appropriate sequencing conditions are met.

Once the tag is selected and its identity is believed to be known, a destruct sequence is performed. The destruct sequence comprises a series of steps in the following sequence: an ID CONFIRMATION, a PURCHASE, DESTRUCT CODE TRANSMISSION and VERIFICATION AND DESTRUCTION. Furthermore, a REQUEST FOR DESTRUCTION must occur somewhere during the sequence.

It is important to emphasize that there can be different levels of security. Someone taking inventory may be able to access certain tag information, but will not be allowed to disable or destroy the tag. For example, the person taking inventory may have access to a CONFIRM CODE to verify a tag's identity but not to other steps in a disable or destroy sequence or may have access to a Confirm Code to start a destruct sequence but not to a second special Destruct Code required to complete a destruct sequence. Other personnel, for example a checkout person might have access to all the necessary means to initiate a destruct sequence to destruct a tag.

An example of the use of a CONFIRM CODE is that at the end of a search, a reader calculates an 8-bit CRC (sufficient to enable the tag to detect multiple bit errors) and sends the CRC to the tag. The tag compares the CRC with a pre-calculated 8-bit code and mutes if there is no match. If the codes match on the tag, the tag will send another stored 8-bit code back to the reader.

The second step is the PURCHASE. Once a purchase is made, the ability to download a disable or destruct code is permitted. That is, the purchase of the item makes it possible to download the code required to destroy a tag. The DESTRUCT CODE can be, for example a unique 8 bit code.

It is noted that in certain circumstances either the purchaser or the seller may choose to not destroy the tag. Thus, even if a purchase has been made, a request for destruction must be present in order to send the DESTRUCT CODE to the tag. It should also be noted that under other circumstances, for example when an item is a final sale and cannot be returned, a purchase triggers an automatic request for destruction.

The third step is DESTRUCT CODE TRANSMISSION. In the DESTRUCT CODE TRANSMISSION step, provided that a REQUEST FOR DESTRUCTION has been made during the sequence, the destruct code is downloaded and transmitted to the tag.

The fourth step is DISABLEMENT or DESTRUCT. The tag confirms that the destruct code is valid and destroys the tag.

In a preferred embodiment, the destruct sequence of commands comprises an identity match; followed by a correct response; followed by a purchase. The cash register reader then may (or may not) provide a unique 8-bit DESTRUCT Code, after which the tag configures itself for destruction, verifies that the DESTRUCT CODE is valid, and is subsequently destroyed by having the tag within a range of, for example, 10 cm from the reader. Receipt of further destruct commands is automatically disabled for 5 seconds or more after any unsuccessful destruct attempt.

While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents. 

What is claimed is:
 1. A method for a radio frequency identification (RFID) tag comprising: receiving a first code transmitted by an RFID reader, the first code generated by an XOR calculation; comparing a second code within the tag to the first code; if the first code and second code do not match, muting by the tag; and if the first code and second code match, transmitting by the tag a third code to the RFID reader. 